Please stop posting your X-rays to social media

Social media is fun. Posting pictures and sharing them with friends is a great technology. But please, we beg you, stop posting your medical imaging results to Instagram, Twitter, and Facebook. Why? Suppose you get a gnarly fracture from a really awesome snowboarding stunt and you want to share your battle wounds. Let’s start small and see where a single X-ray or MRI can take someone who is not your friend.

Personally Identifiable Information


Depending on the facility, your X-ray or MRI might have your full name, date of birth, social security number, and the name of the facility printed right on the image. This much information is good when your doctor needs to know with 100% certainty that you are you and that the image is tied to your medical records. It’s bad when it’s on Twitter.

Doxxing


Disclosure of one piece of personal information feels inconsequential. But multiple low-value pieces of information disclosed across multiple platforms can be chained together to uncover more serious data. On an X-ray, your name and the name of a hospital seem fairly trivial and non-threatening. But the hospital name gives your probable city of residence, which, together with your name, often unlocks property, tax, and voting records. Public data brokers often organize their best-guess matching of name and phone number by city.

Meaning: a bad guy holding his target’s X-ray has hard validation of the city of residence, which in turn lets him validate anything else of yours he steals and exclude other people with the same name. It’s a neat trick, and the only real defense is not to post personal information online if it’s something you can’t change easily (your fingerprint, city of residence, name, etc.).

Endangering your hospital/doctor’s entire network

And sometimes the machines taking the pictures can be networked. (Yes, there is an absolute landslide of issues surrounding why and how an X-ray machine should be connected to a network, but that is a series of blogs for another time.) Take a look at this X-ray:

Public facing server redacted

This person has wisely cropped out their own name, but if you check out the bottom right corner, you’ll see the active user account in the program. Not extremely alarming, but further along is “Server: [redacted].” Very, very alarming! Perhaps the server receiving the image is a local machine that’s air-gapped from the Internet but needs to receive images from multiple machines in an office or hospital. (If you are a security professional reading this, we know that this is extremely unlikely.) So, taking the server name and plugging it into a public metadata search tool, we find:

The image was taken in 2014, but the server is still active as of writing

The server is web facing

The WHOIS record for the domain is public

All of the domain’s subdomains can be enumerated

Traversing the subnet reveals what is most likely a medical record server
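The same triage, reduced to a script, as an added example that is not part of the original post or of any tool it used: take the “Server: …” string from a screenshot, decide whether the name even looks like an internal machine, resolve it, check whether the address sits in RFC 1918, loopback, or link-local space, then try a short list of common subdomain labels and group the hits by /24 the way a public DNS search tool would. The resolver is pluggable so the script runs offline against a made-up DNS table; the hostnames under example-hospital.test and the RFC 5737 documentation addresses that stand in for public ones are assumptions, not real infrastructure. Swap in live_resolve for real lookups, and only against networks you are authorized to examine.

```python
"""Triage a hostname leaked in a screenshot: internal-looking or Internet-facing?

Added example, not the original post's code. All hostnames and addresses in
FAKE_DNS are constructed for illustration.
"""
import ipaddress
import socket
from collections import defaultdict

# Constructed passive-DNS table standing in for a public metadata search tool.
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges used
# here as stand-ins for public address space.
FAKE_DNS = {
    "pacs.example-hospital.test": "203.0.113.10",
    "www.example-hospital.test": "203.0.113.12",
    "records.example-hospital.test": "203.0.113.11",
    "mail.example-hospital.test": "203.0.113.20",
    "vpn.example-hospital.test": "198.51.100.5",
    "xray-wks01": "10.20.30.40",
}

# A deliberately tiny wordlist; real enumeration uses thousands of labels.
COMMON_LABELS = ["www", "mail", "vpn", "records", "ehr", "portal", "dev", "pacs"]

# Explicit list instead of ipaddress.is_private, which would also flag the
# RFC 5737 documentation ranges used as sample "public" addresses above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def fake_resolve(name):
    """Offline resolver backed by the constructed table."""
    return FAKE_DNS.get(name.lower().rstrip("."))


def live_resolve(name):
    """Real A-record lookup; returns None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def looks_internal(name):
    """Single-label names and private-use suffixes are usually not Internet hostnames."""
    name = name.lower().rstrip(".")
    return "." not in name or name.endswith((".local", ".internal", ".lan", ".corp", ".home"))


def classify_host(name, resolve):
    """Resolve the name and label it unresolved, private, or public."""
    addr = resolve(name)
    if addr is None:
        return {"host": name, "addr": None, "exposure": "unresolved"}
    ip = ipaddress.ip_address(addr)
    exposure = "private" if any(ip in net for net in PRIVATE_NETS) else "public"
    return {"host": name, "addr": addr, "exposure": exposure}


def registered_domain(name):
    """Naive last-two-labels guess; a real tool consults the public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def enumerate_subdomains(domain, resolve, labels=COMMON_LABELS):
    """Try each label under the domain and keep the ones that resolve."""
    found = {}
    for label in labels:
        fqdn = f"{label}.{domain}"
        addr = resolve(fqdn)
        if addr:
            found[fqdn] = addr
    return found


def group_by_subnet(hosts, prefix=24):
    """Group {fqdn: addr} by enclosing /prefix, the 'traverse the subnet' step."""
    groups = defaultdict(list)
    for fqdn, addr in hosts.items():
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        groups[str(net)].append(fqdn)
    return {net: sorted(names) for net, names in groups.items()}


def triage(server_string, resolve=fake_resolve):
    """Full pipeline for a 'Server: hostname' string taken from a screenshot."""
    name = server_string.split(":", 1)[1].strip() if ":" in server_string else server_string.strip()
    report = classify_host(name, resolve)
    report["internal_looking"] = looks_internal(name)
    if report["exposure"] == "public":
        subs = enumerate_subdomains(registered_domain(name), resolve)
        report["subdomains"] = subs
        report["same_subnet"] = group_by_subnet({**subs, name: report["addr"]})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage("Server: pacs.example-hospital.test"), indent=2))
    print(json.dumps(triage("Server: xray-wks01"), indent=2))
```

Against the constructed table, the PACS name comes back public with four neighbours in the same /24, one of them called records, which is the “most likely a medical record server” finding above; the single-label workstation name comes back private and internal-looking, which is what you would hope to see for every server string in a patient’s photo.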

Yikes. Medical infrastructure security has problems. A lot of problems. But while the responsibility for an insecure network lies with the organization running it, posting photos that have exploitable information is also not a great thing. Given that vulnerabilities in the medical space can have catastrophic consequences, we should take extra care before exposing any data from inside a hospital or doctor’s office.

But I really, really want to post pics!

Use a crop tool. On a Mac, Command+Shift+4 brings up a resizable frame that can be used to crop out data that is none of the Internet’s business. On a PC, select the Start button, type snipping tool in the search box on the taskbar, and then select Snipping Tool from the list of results. Crop rather than blur: a cropped screenshot discards the pixels entirely, while blurred or pixelated text can sometimes be reconstructed. Remember that you are not only cropping out your information, but also the medical facility’s.


On Instagram, you can follow the instructions here to crop your photo. On Twitter, maybe you just shouldn’t, unless your account is private.

A good question to ask before you post is “Do I want people I don’t know to have this information, and to do whatever they want with it, for as long as they want?” If the answer is no, take a pause before hitting submit and check out our post here on securing your social media profile.
